Unblocking Blockchain Boundaries

Should we include personal data on a blockchain?

You can, but complying with the obligations in the GDPR is a challenge, especially because, by design, information on a blockchain cannot be changed or deleted. We therefore strongly recommend that you build data protection principles into every blockchain (privacy by design) and ensure that the default settings keep processing to a minimum (privacy by default). For further security, store all identifiable personal data off-chain and limit what is written to the blockchain to links or hashes.
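As an added illustration (not code from the original article), a minimal Python model of the off-chain/on-chain split described above: identifiable data lives in a deletable off-chain store and only a keyed hash reaches the ledger, so erasing the off-chain record leaves an unlinkable commitment behind. The `reidentify` helper also shows why a plain hash of a name or e-mail address is not enough: it can be matched against a list of candidates without any secret. The ledger is a plain list standing in for a real chain; the record values are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional


class HashOnChainStore:
    """Keeps personal data off-chain; writes only a keyed-hash commitment on-chain."""

    def __init__(self) -> None:
        self.chain = []        # stands in for the ledger: append-only, never edited
        self.off_chain = {}    # controller-managed store that can be deleted from

    @staticmethod
    def _commit(key: bytes, record: dict) -> str:
        payload = json.dumps(record, sort_keys=True).encode()
        return hmac.new(key, payload, hashlib.sha256).hexdigest()

    def add(self, record_id: str, record: dict) -> str:
        key = os.urandom(32)  # fresh per-record secret, stored off-chain only
        commitment = self._commit(key, record)
        self.off_chain[record_id] = {"record": record, "key": key}
        self.chain.append({"record_id": record_id, "commitment": commitment})
        return commitment

    def verify(self, record_id: str) -> bool:
        """Prove the off-chain record still matches what was committed on-chain."""
        entry = self.off_chain.get(record_id)
        if entry is None:
            return False
        expected = self._commit(entry["key"], entry["record"])
        return any(c["record_id"] == record_id and hmac.compare_digest(c["commitment"], expected)
                   for c in self.chain)

    def erase(self, record_id: str) -> None:
        """Right to erasure: drop the data and its key; the on-chain value stays but is unlinkable."""
        self.off_chain.pop(record_id, None)


def bare_hash(record: dict) -> str:
    """What NOT to put on-chain: an unkeyed hash of the personal data itself."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def reidentify(commitment: str, candidates) -> Optional[dict]:
    """Try to match an on-chain value to a known candidate record with no secret.
    Succeeds for a bare hash; always returns None for a keyed commitment."""
    for cand in candidates:
        if hmac.compare_digest(bare_hash(cand), commitment):
            return cand
    return None
```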

By setting up a clear governance structure. For instance, using a private blockchain that is permissioned (invitation only) instead of permissionless (open to everyone) enables you to assign different rights to different parties and makes it easier to determine who is responsible for complying with the GDPR. Once this structure is in place, draw it up in a document and enter into the necessary data processing agreements, data sharing protocols and commercial contracts with all blockchain participants.

What else should we keep in mind when introducing a blockchain solution?

As with every IT project, it’s important to make clear arrangements about the allocation of the intellectual property rights. And as always when using new technology, a good starting point is executing a Data Privacy Impact Assessment (DPIA). Keep the data subjects up to date by means of a privacy policy and perform regular security audits. Finally, you must be able to detect, investigate, and report data breaches as soon as they occur. Having a security incident response plan and clear procedures in place will help a dedicated data breach team to act swiftly and effectively.